Monday, June 23, 2008

Welcome, we're glad you could join us.

Welcome, we're glad you could join us. Thanks for coming, let us know if you have any questions.

This is the way we should greet people joining us in almost any activity, but sadly it is not the greeting many get from some in the security community. If you don't have the same scrap of paper on the wall that they do, or don't have the same level or area of expertise, or dare to challenge their sacred truths, you don't belong with them, at least according to some "security professionals". That attitude is stupid, egotistical and counterproductive. In case you hadn't noticed, the other team found out that there is money to be made in attacking our systems, and we need all the help we can get.

I am not saying every group or gathering is the ideal venue for everyone, but that usually becomes obvious quickly and doesn't need to be pointed out to new folks; let them decide what is right for themselves. Nor am I suggesting that groups can't have prerequisites or expect some level of expertise, but that should be clear up front and the requirements should be logical. (For example, InfraGard's background checks make sense, the private CISSP forum should be able to limit membership to CISSPs, etc.)

What should not happen is for someone to show up for a publicly advertised meeting or event and be ignored or dismissed for being curious enough to show up and see what is happening.

Rather than name the offenders, I will say that the groups and events I frequently discuss appeal to me in part because of their openness: NAISG, BeanSec!, SNENUG, SOURCE Boston, and ShmooCon, to name a few.